Thread: [SECURITY] Securing /var/tmp and Mounting /tmp As a Separate Filesystem

Hey everyone,

This is a quick tutorial on securing your server against unwanted and dangerous access.

By default, it is very easy to access a server's /var/tmp and run some nasty executables. This guide will help you to stop that. Not many people actively do this when securing their servers but it is a necessity to ensure security.

As with any other guides I write, I try to keep it short and too the point, with more tags than general text ;-)

So, onwards!

##########Part 1, deleting and symlinking /var/temp##########

1. SSH in to your server
-

Code:

SSH [-p port] user@host/ip

2. Remove /var/tmp

Code:

rm -fR /var/temp

3. Symlink (symbolic link) it to /tmp

Code:

ln -s /tmp /var/tmp

##########Part 2, mounting /tmp as a separate filesystem##########

1. Backup your fstab

Code:

cp /etc/fstab /etc/fstab.bak

2. Create a 1GB temp mount partition

Code:

cd /var

Code:

dd if=/dev/zero of=tmpMnt bs=1024 count=1048576

3. Format the new partition

Code:

mkfs.ext3 -j /var/tmpMnt

*Answer "Y" when asked.

4. Backup the old /tmp

Code:

cp -Rp /tmp /tmp_backup

5. Mount the new /tmp filesystem

Code:

mount -o loop,noexec,nosuid,rw /var/tmpMnt /tmp

6. Set the necessary permissions

Code:

chmod 1777 /tmp

7. Copy files back to /tmp [code]cp -Rp /tmp_backup/* /tmp/ [/code] *Code tags decided not to work here. Don't miss it!*

8. Add new /tmp to fstab

Code:

echo “/var/tmpMnt /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0″ >> /etc/fstab

And there you go. Your server is now a lot more secure than it was before and chances are, you'v learnt a couple new commands!

Cheers,
-Pulser

I think your claim "/var/temp is insecure" begs an explanation...

awesome mate awesome thanks :)

You had become smart in just couple of Months cool :P

If you managed to gain shell access, it is very easy to access a user's homedir and run some nasty executables. So, the gain in security by just addressing /tmp is very low at best.

A real improvement is to run any service that can be used as an attack vector (i.e. at least the webserver) in a BSD jail or in a Linux container.

As addition, if you manage your own DS usign OpenVZ, then this article may makes you easier.

Code:

http://www.eukhost.com/forums/f29/how-do-i-mount-tmp-vpses-noexec-nosuid-options-1025/

Scroll down little bit to get the easy task to do. Hope it help.

Originally Posted by pyroscope

If you managed to gain shell access, it is very easy to access a user's homedir and run some nasty executables. So, the gain in security by just addressing /tmp is very low at best.

A real improvement is to run any service that can be used as an attack vector (i.e. at least the webserver) in a BSD jail or in a Linux container.

If someone manages to gain shell access on your box, then you haven't bothered with security at all. I never professed this to be all that is needed to secure your server, it is but one of many processes that should be carried out. Additionally, I would recommend you make an introduction here, so that you can become an actual member of our site.